Unexpected behavior on http status codes. Documentation missing.

When a request is not authenticated or not authorized, the expected http behavior is to return status codes 401 or 403. The implementation instead returns a status code 404 (not found) to discourage malicious actors.
The documentation for this behavior is missing.